Creating a truststore for all nodes

Create a truststore that is used to ensure that all nodes recognize the certificate authority (CA). Even when using a well-known certificate authority, DataStax recommends creating a truststore with the signing CA certificate or certificate chain (following the instructions from your CA). Most well-known CA certificates are already available through the DataStax Enterprise (DSE) Java implementation.


  1. Create a single truststore, and add the root certificate to the truststore. For the <keystore_type>, enter JKS:

    If prompted whether to import the certificate, enter yes.

    keytool -keystore <dse-truststore.jks> \
    -storetype <keystore_type> \
    -importcert -file '<rootca.crt>' \
    -keypass <keystore_password> \
    -storepass <truststore_password> \
    -alias <rootca_name> \

    Truststore that contains the root certificate.

    Use the same truststore that contains the root certificate on all nodes.


    Valid types are JKS, JCEKS, PKCS11, or PKCS12. For file-based keystores, use PKCS12.

    DataStax supports PKCS11 as a keystore_type on nodes with cassandra or advanced workloads. The advanced workload support was added for DSE 6.8.2 and later. If PKCS11 is needed, in server_encryption_options or client_encryption_options, specify the keystore_type as PKCS11 and the keystore as NONE.

    PKCS11 is not supported as a truststore_type.

    Default: JKS


    Certificate used to sign (authorize) DSE node SSL certificates.


    Password used to protect the private key of the key pair.

    Default: none


    Password required to access the keystore.

    Default: none


    Name (alias) used to identify the root certificate when importing into the node’s keystore. For example, in a rootca.conf file, the CN = CA_CN entry shown in Creating a root CA certificate.

    A message displays indicating that the certificate was added. The truststore now contains a single entry.

    Certificate was added to keystore
  2. Verify the truststore to ensure that it contains the root certficate:

    keytool -list \
    -keystore <dse-truststore.jks> \
    -storepass <truststore_password>

    The command output indicates the keystore type, provider, number of entries, creation date, and certification details.

    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    <rootca_name>, Aug 8, 2019, trustedCertEntry,
    Certificate fingerprint (SHA1): <SHA1-has>h

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000,